Millions of Barclays customers at risk in NFC attack

Up to 13 million UK customers of Barclays Bank are vulnerable to losing payment card details through a mobile phone attack, ZDNet UK has learned.In a report due to be transmitted on Channel 4 News on Friday, the broadcaster is to say that contactless readers in mobile phones can be reprogrammed to extract card data from Barclays cards when they come near each other, even through clothing, wallets or bags.

Up to 13 million UK customers of Barclays Bank are vulnerable to losing payment card details through a mobile phone attack, ZDNet UK has learned.

In a report due to be transmitted on Channel 4 News on Friday, the broadcaster is to say that contactless readers in mobile phones can be reprogrammed to extract card data from Barclays cards when they come near each other, even through clothing, wallets or bags.

In a test conducted in conjunction with a mobile forensics company, Channel 4 News reporters extracted data from a card without authorisation and used that data to purchase goods online.

In an emailed statement, the broadcaster said: "Thomas Cannon of ViaForensics told Channel 4 News : 'All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air'."

Channel 4 News was only able to access the details of Barclays-issued Visa cards. Other banks and systems weren't accessible. The UK Card Association says that guidelines state that the card holder's name should not be transmitted.

But Visa and Barclays said it was perfectly fine for people to access all your card details in this way without your permission.

Barclays responded to Channel 4 News's allegations:

"Barclays told Channel 4 News: 'The security of our customers' money and personal details is a top priority at Barclays so we are understandably concerned about these transactions. We are compliant with scheme rules for contactless and our fraud guarantee refunds any fraudulent losses to customers in full. The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code.

"The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details."